Certificate/Two-Factor Authentication for Policy Manager Application Login Service Template

This service template allows administrators and operators to log in to Policy Manager using a smart card and TLS (Transport Layer Security) certificates. To log in using a smart card and TLS certificates, ensure that the services are configured using the Certificate/Two-Factor Authentication for ClearPass Application Login service template.

Adding a Service to the Template

To access the Certificate/Two-Factor Authentication Service service template:

1. Navigate to Configuration > Service Templates & Wizards.

2. From the Service Templates & Wizards page, select Certificate/Two-Factor Authentication Service. The Service Templates - Certificate/Two-Factor Authentication Service page opens to the General tab.

Figure 1  Certificate/Two-Factor Authentication Service Template

Specify the Certificate/Two-Factor Authentication for ClearPass Application Login service template parameters as described in the following table:

Table 1: Policy Manager Certificate/Two-Factor Authentication Service Template Parameters

Parameter

Action/Description

General

Select Prefix

Select a prefix from the existing list of prefixes.

This field populates the pre-configured information in the Authentication, SP details, and Enforcement Details sections. The Name Prefix field is not editable.

Name Prefix

Enter a prefix that you want to append to services using this template.

Use this to identify services that use templates.

Service Rule

Application

Select the application for which SAML (Security Assertion Markup Language)-based Single Sign-On (SSO) should be enabled from the following options: Policy Manager, Guest, Insight, and Onboard.

Authentication

Select Authentication Source

Select an authentication source from the list.

The information provided in the Authentication, Enforcement Details, and SP details tabs is auto-populated.

Active Directory Name

Enter the hostname or the IP address of the Active Directory server.

This field is mandatory.

Description

Enter a description that helps you to identify the characteristics of this template.

This field is mandatory.

Server

Enter the hostname or the IP address of the Active Directory server.

This field is mandatory.

Port

Enter the TCP port where the server is listening for a connection.

The default value is 389. This field is mandatory.

Identity

Enter the DN (Distinguished Name) of the administrator account. This field is mandatory.

Password

Enter the account password. This field is mandatory.

NETBIOS

Enter the server Active Directory domain name. This field is mandatory.

Base DN

Enter the Distinguished Name (DN) of the administrator account. This field is mandatory.

IdP Details

Page Name

Select the Web Login pages from the drop-down list.

For more information, see the next section, Creating a New Web Login Page.

Enforcement Details

Certificate Attribute - Super Admin Condition

Select the certificate attribute from the drop-down list.

Enter the value in the Super Admin Condition field that matches the Certificate Attribute value to provide the super administrator access.

Certificate Attribute - Read Only Admin Condition

Select the certificate attribute from the drop-down list.

Enter the value in the Read Only Admin Condition field that matches the Certificate Attribute value to provide the Read-Only administrator access.

Certificate Attribute - Help Desk Admin Condition

Select the certificate attribute from the drop-down list.

Enter the value in the Help Desk Admin Condition field that matches the Certificate Attribute value to provide the help desk administrator access.
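The three Enforcement Details rows above describe one pattern: a chosen certificate attribute is compared against a condition value, and a match grants the corresponding administrator role. The following Python is an added illustration of that pattern, not ClearPass code. It assumes the attribute is taken from the client certificate's subject DN, that a condition is an exact value match, and that roles are checked from most to least privileged with no match meaning no access. The DN strings, attribute names, and rule values are constructed sample data.

```python
"""Map client-certificate subject attributes to Policy Manager admin roles.

Added illustration, not ClearPass code. It models the Enforcement Details
section of the service template, where a certificate attribute (for example
the subject OU) is compared against a condition value for each admin role.
All DNs, attribute names and role conditions below are constructed samples.
"""
from __future__ import annotations

# Roles ordered from most to least privileged. The first matching condition
# wins, so a broad help-desk rule cannot downgrade a super-admin match, and
# a certificate matching no rule gets no role at all (default deny).
ROLE_ORDER = ("Super Admin", "Read Only Admin", "Help Desk Admin")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514-style DN into (attribute, value) pairs.

    Backslash-escaped separators are kept literally and '+' multi-valued
    RDNs are split into separate pairs. Hex escapes are not expanded.
    """
    pairs: list[tuple[str, str]] = []
    parts: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped comma, plus, etc. stays in the value
            i += 2
            continue
        if ch in ",+":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, _, value = part.partition("=")
        # attribute types are case-insensitive; values are compared as given
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def attribute_values(subject_dn: str, attr: str) -> list[str]:
    """All values of one attribute type in the subject DN (may repeat)."""
    return [v for a, v in parse_dn(subject_dn) if a == attr.upper()]


def evaluate_role(subject_dn: str, rules: dict[str, tuple[str, str]]) -> str | None:
    """Return the admin role for a certificate, or None when nothing matches.

    `rules` maps a role name to (certificate attribute, condition value),
    mirroring the Certificate Attribute / Condition pairs in the template.
    """
    for role in ROLE_ORDER:
        if role not in rules:
            continue
        attr, expected = rules[role]
        # Exact value match: "Helpdesk" does not satisfy a "HelpdeskX" rule
        # and vice versa, so an attacker-chosen prefix cannot widen a rule.
        if expected in attribute_values(subject_dn, attr):
            return role
    return None


if __name__ == "__main__":
    # Constructed sample policy: OU decides the role.
    sample_rules = {
        "Super Admin": ("OU", "NetOps"),
        "Read Only Admin": ("OU", "Audit"),
        "Help Desk Admin": ("OU", "Helpdesk"),
    }
    for dn in ("CN=alice,OU=Helpdesk,O=Example",
               "CN=bob,OU=NetOps,O=Example",
               "CN=eve,OU=Sales,O=Example"):
        print(dn, "->", evaluate_role(dn, sample_rules))
```

The evaluator is deliberately strict: values must match exactly, the attribute type is normalised but the value is not, and a certificate that satisfies none of the three conditions receives no administrative role rather than a fallback one.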

Creating a New Web Login Page

To create a new Web Login page:

1. Click the Add New Guest Web Login page link. This opens the Policy Manager Guest application in which you can create a new Guest Web Login page.

2. To log in using a smart card and TLS certificates, navigate to ClearPass Guest > Configuration > Pages > Web Logins.

3. In the Vendor Settings field, select Single Sign On - SAML Identity Provider.

a. When you select Optional - Request a client certificate from the user, but allow none from the Client Certificate field, the user needs to provide a certificate, username, and password.

b. When you select Required - Require a client certificate from the user from the Client Certificate field, the user needs to provide only certificates for authentication.

This enables the Authentication field with the following options:

Certificate only - No username or password required: Requires only certificate authentication.

Credentials - Also require a username and password: Requires the username and password.